Security features for Cosmos DB.
Set up the variables:

```shell
cp config/template.tfvars .auto.tfvars
```

Set your IP address in `cosmos_ip_range_filter`.
Create the resources:

```shell
terraform init
terraform apply -auto-approve
```
Use the Go SDK client in the `/client` directory to send data to Cosmos.

Create the `.env` file:

```
COSMOS_ENDPOINT="https://<COSMOS NAME>.documents.azure.com:443/"
```

Run the client:

```shell
go get
go run .
```
For data operations there are only two built-in role definitions:

- Cosmos DB Built-in Data Reader
- Cosmos DB Built-in Data Contributor
Since Diagnostics has been enabled, troubleshooting can be performed using Azure Monitor.

This query filters for data plane requests in the `AzureDiagnostics` table. With Entra ID authentication it is possible to audit which users access data in Cosmos DB accounts.

💡 For this scenario, local authentication should be disabled and users would have to use Entra ID.

```kusto
AzureDiagnostics
| where Category == "DataPlaneRequests" and TimeGenerated > ago(1h)
| project TimeGenerated, aadPrincipalId_g, Resource, OperationName, requestResourceId_s, statusCode_s, clientIpAddress_s, authTokenType_s, keyType_s
```
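As an added example (not code from this repo), the Go program below applies the same check offline to rows exported from that query: it flags requests that still used key-based auth, and Entra requests that carry no principal ID and so cannot be attributed to a user. The sample rows are constructed, and the meaning of the `authTokenType_s` values `"aad"` and `"key"` is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Row mirrors the AzureDiagnostics columns projected by the query above.
type Row struct {
	TimeGenerated  string `json:"TimeGenerated"`
	AADPrincipalID string `json:"aadPrincipalId_g"`
	OperationName  string `json:"OperationName"`
	ClientIP       string `json:"clientIpAddress_s"`
	AuthTokenType  string `json:"authTokenType_s"`
	KeyType        string `json:"keyType_s"`
}

type Finding struct{ Time, ClientIP, Reason string } // one request that breaks the Entra-only expectation

// AuditEntraOnly decodes a JSON array of exported rows and flags requests that did not use an
// Entra ID token (assumed: authTokenType_s "aad" = Entra ID, "key" = account key) or lack a principal ID.
func AuditEntraOnly(exported []byte) ([]Finding, error) {
	var rows []Row
	if err := json.Unmarshal(exported, &rows); err != nil {
		return nil, err
	}
	var out []Finding
	for _, r := range rows {
		if r.AuthTokenType != "aad" {
			reason := fmt.Sprintf("%s used %s auth (%s)", r.OperationName, r.AuthTokenType, r.KeyType)
			out = append(out, Finding{r.TimeGenerated, r.ClientIP, reason})
		} else if r.AADPrincipalID == "" {
			out = append(out, Finding{r.TimeGenerated, r.ClientIP, "Entra token without principal id"})
		}
	}
	return out, nil
}

// SampleLog is constructed sample data shaped like DataPlaneRequests rows, not real output.
const SampleLog = `[
{"TimeGenerated":"2024-01-01T10:00:00Z","aadPrincipalId_g":"11111111-2222-3333-4444-555555555555","OperationName":"Read","clientIpAddress_s":"203.0.113.10","authTokenType_s":"aad","keyType_s":""},
{"TimeGenerated":"2024-01-01T10:01:00Z","aadPrincipalId_g":"","OperationName":"Create","clientIpAddress_s":"203.0.113.20","authTokenType_s":"key","keyType_s":"PrimaryMasterKey"},
{"TimeGenerated":"2024-01-01T10:02:00Z","aadPrincipalId_g":"","OperationName":"Query","clientIpAddress_s":"203.0.113.30","authTokenType_s":"aad","keyType_s":""}]`

func main() {
	findings, _ := AuditEntraOnly([]byte(SampleLog)) // constructed sample is well-formed JSON
	for _, f := range findings {
		fmt.Println(f.Time, f.ClientIP, f.Reason)
	}
}
```

Export the real query result as JSON from Log Analytics and feed it in place of `SampleLog`; any finding after local authentication has been disabled is worth a look.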
The database will be created with CMK (customer-managed keys):

Log collection is enabled:

Network IP filtering:
When done, clean up the resources:

```shell
terraform destroy -auto-approve
```